
ftpupd.exe infected by NULL corrupter


10 replies to this topic

#1 Reena

Reena

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:12:47 AM

Posted 10 October 2008 - 02:06 PM

mwav scanner tells me that I have a virus:

C:\Windows\system32\ftpupd.exe infected by NULL corrupter.

I have run Avira Antivirus Personal and it tells me my PC is clean. So does McAfee's Stinger.

I run Windows XP
Internet Explorer 7
Adaware Home Edition SE
Spybot Search & destroy
Super AntiSpyware Professional
Spyware Blaster
Advanced Windows Care

How do I get rid of this "virus", please? Your help would be appreciated.
My thanks
Reena



#2 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:01:47 AM

Posted 10 October 2008 - 02:52 PM

I notice you are running

Adaware Home Edition SE

; I believe this stopped updating some months ago?

Have you tried running a scan with Malwarebytes

http://www.bleepingcomputer.com/forums/ind...st&p=959453

and are you running the latest definitions of Stinger?
http://vil.nai.com/VIL/stinger/

#3 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:12:47 AM

Posted 10 October 2008 - 03:02 PM

Ruby wrote:

I believe this stopped updating some months ago?


Mine keeps being updated.

I have the latest version of Stinger.

Is AVG 8 better than Avira?

Have you tried running a scan with Malwarebytes?


I'll do so! Thanks, Ruby.

#4 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:12:47 AM

Posted 10 October 2008 - 03:53 PM

Several "infections" were found and dealt with by Malwarebytes.

A second scan said all was well. ftpupd.exe was not mentioned.

Strange!

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:47 PM

Posted 10 October 2008 - 08:26 PM

Hello, please post the infected MBAM log and the last, thank you.


The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

#6 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:12:47 AM

Posted 11 October 2008 - 04:44 AM

Stupidly I accidentally deleted the log file. I will scan again some time today. My thanks.

#7 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:12:47 AM

Posted 12 October 2008 - 03:07 PM

Hello, again.

Here are the results of two scans:

Malwarebytes' Anti-Malware 1.28
Database version: 1261
Windows 5.1.2600 Service Pack 3

10/12/2008 20:38:34
mbam-log-2008-10-12 (20-38-34).txt

Scan type: Quick Scan
Objects scanned: 59493
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\system32\vcmgcd32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\logo1_.exe (Worm.Viking) -> Delete on reboot.
C:\WINDOWS\system32\systems.txt (Trojan.FakeAlert) -> Delete on reboot.

.............

Malwarebytes' Anti-Malware 1.28
Database version: 1261
Windows 5.1.2600 Service Pack 3

10/12/2008 20:56:18
mbam-log-2008-10-12 (20-56-18).txt

Scan type: Quick Scan
Objects scanned: 58950
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

As noted, these were deleted on reboot, and I have also switched off System Restore and created a new restore point.

I hope these are of help to you.

#8 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:01:47 AM

Posted 12 October 2008 - 03:53 PM

That appears to be a clean scan result plus you have turned System Restore back on?

#9 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:12:47 AM

Posted 12 October 2008 - 04:18 PM

Thank you. I hope you are right.

What worries me is that mwav scanner told me that I had a virus:

C:\Windows\system32\ftpupd.exe infected by NULL corrupter.

The "bugs" listed and removed by Malwarebytes' Anti-Malware do not include this.

#10 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:01:47 AM

Posted 12 October 2008 - 04:25 PM

If you open up Malwarebytes and go to the Reports tab, can you see a report IN there that flags it up as you have never shown us that report?

The scan report you have just shown us appears to be clean and you have run it with up-to-date definitions?

#11 Reena

Reena
  • Topic Starter

  • Members
  • 391 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:UK
  • Local time:12:47 AM

Posted 13 October 2008 - 04:38 AM

Ruby, I accidentally deleted earlier reports in Malwarebytes.

It is mwav scanner that tells me that I have this virus:

C:\Windows\system32\ftpupd.exe infected by NULL corrupter.

I am beginning to wonder if this isn't a false positive.



